i'm just trying to authenticate moodle with user key authentication using this plugin. but i'm not sure is this a safe way to authenticate users because this plugin only check whether the user name exist in the moodle database. and anyone can guess the user name and send post request to the end point and it will give you the authenticated url.is anyone know how to make this more secure? or is this way not safe?
From a quick look at the plugin, the one-time URL is created by calling a Moodle webservice. That webservice call is only available to users who have been authenticated via a private token (that would be stored securely on the server that is making the webservice call to retrieve the URL).
As long as you don't give out the private token (e.g. don't include it in JavaScript sent to the user's browser) and as long as you don't grant general permission to generate login URLs, you should be fine.
Disclaimer: I am an experienced Moodle developer, but I have not reviewed the code in question, only the basic principles involved.
Related
I am trying to build an API service that will communicate with another application but I have some concerns about the security of the application. I want it to use token authentication but in all tutorials that I read is said to give the user a hashed token and make requests with it. For example if I want to retrieve a user:
myapp.com/user/1?my_token=<TOKEN>
This token would be checked for example if it contains an existing user with username and password that has the access to this route. But no matter what checks I make on the server if someone knows this token he can send requests from anywhere.
I saw that in Google APIs developers should paste their API_KEY as a query variable but maybe they have some other security checks? Isn't it like putting your username and password as plain text in the query parameters? What is the best way to authenticate users without the possibility of man in the middle attack?
One of requirements for implementing a REST Api is that the client has to send the required state information every time to the server to handle a specific request. Assume authentication is in place and I'm successfully authenticating users to use the rest api, which means with every request i'm verifying that user has rights to access the api.
What if I have multiple users and each user has a different access right. So each user can only call a different set of webservices. I'm wondering how this is normally handled by the server. I figure the only way to do this is to check the authentication of each user(via a password hash code,etc) with each request to verify that he has access rights to the requested service. If that is correct then what are the recommended ways of handling authentication of multiple users in such a scenario?
I'm using flask to develop my api, so any specific suggestions will be much appreciated :)
Thanks in advance.
Authenticate a user first by username and password. Return back a token or hashcode.
Prior to any action you take on the servers api, check the users permission by using the token.
You always want to check permissions on the rest api. They can all make the call to the api. Their permissions is what will determine if they can or can't do the request.
I'm writing a Web API for my users to access their information on my site. However, I'm not sure what type of authentication I should use for such a task.
Here are my intentions:
One of my users develops an app that needs information on their account from my server. He sends me a key and I verify that he's a valid user.
There shouldn't be any 'middle-man' apps that are doing anything on the user's behalf. Just the owner of the account. Currently, I'm using a system where I hash a GUID and the user sends that string to me. I decrypt it, and check my database for that key.
I'm not sure what this method is called, but it seems to work. Does anyone have a better solution that I could use that (probably) better uses web standards?
This question screams: OAuth.
http://oauth.net/2/
More details:
OAuth is an authentication protocol that allows you to approve one
application interacting with another on your behalf without giving
away your password.
Taken from: http://blog.varonis.com/introduction-to-oauth/
I am Java developer and my customer wants to make web application using CKAN.
But he wants too many functions more over CKAN offers or not corresponds with CKAN's architecture.
So I decided to write Java program which has functions that customer wants and calls CKAN's RESTful API using Apache HttpComponent
But I encountered authorization issue.
Because my To-Be system will works without login to CKAN, I have to know users API-KEY when I call some apis need authorization.
But I can't get API-KEY unless login CKAN site(right?) and I think that getting someone's API-KEY by another way is nonsense.
If you don't think so, could you tell me how to get users API-KEY?
I also considered another way making all objects need authorization public.
But some apis send authorization error when I don't put API-KEY in Http header whether the object I intend to handle is public or private
Because of these reasons, development is been delaying.
Could you give me some advice?
The only way to get a user's API key is for the user herself to login to the CKAN web interface and go to their profile page.
If you're writing an API client, the way a client would normally work is to ask the user to enter their username and API key, either in a configuration file or into a GUI.
We are developing an SPA - full client base javascript application and need to authenticate our users to get access to the internals.
As I found from the search we can outsource our authentication mechanism and use Google accounts for that. I learned from this site
https://developers.google.com/accounts/docs/OAuth2Login -
How to deal with Google API and mechanism for authentication.
In the short word, we need:
send request to google url with params to ask user to allow SPA use their personal data
in case of success we get a token from Google
we may use this token to get access to API we were asked and work with it.
This is described well and I understand it and have some JS code to make it happen.
What I do not understand.
I have an application with it's private data. I want use user's e-mail as the login, or user id (doesn't matter how to call it) to access app's internals, such as user's created tasks, user's profile, etc. So, to display user's created tasks in my SPA I need query database with the user's e-mail.
I imagine the next scenario:
user click Login with Google button
we obtain an token - this means user was authenticated successfully
we persist user and his e-mail to work with SPA
when user click Logout we clear all access data
Where should I persist this data?
In case of Forms Authentication I understand that we pass login/password to server and if they match the database we create Forms Ticket and store it in cookie.
Is there any similar case with Google's auth? If I'll store user's email in cookie I think that's not very good from security reason. If I'll save a token - I'm not sure why I need it and how to use it in my SPA, I'm not using any Google API after authentication.
Do you have any example case how do we build our process in similar cases?
Thank you.
If all you need is the user's email address, then you would be better off using OpenID instead of OAuth. OAuth provides access to a user's account and services, scoped to a specific resource or set of resources. OpendID is designed just for logging into a third-party service. You can then extract the user's ID and email address from the OpenID login. Note: The ID will always be sent but the email address has to be explicitly requested during authentication.
Google also supports a hybrid OpenID+OAuth scheme that lets you piggyback OAuth requests on top of an OpenID login if there is some resource you need to authenticate to. Take a look at the authentication document to get an idea of how both protocols work and which is better for your scenario.
Once you have the email address returned, you probably shouldn't persist it in a cookie. The normally recommended way to handle it is to add it as a session parameter. That way only the session cookie is stored on the client, and the server can use it find the values it needs. This answer has a good explanation of the differences and when you want to use sessions versus cookies.